13 Configuring User Attributes

The Oracle Identity Manager user management feature is configured and customized by using the configuration management feature. Configuration management helps customize the User Management UI and configure the user entity operations and attributes.

In Oracle Identity Manager, there are certain operations involved in the life-cycle management of each entity. Some of the basic operations for the user entity are:

Create

View/Modify

Browse

Delete

Disable

Enable

Bulk Operations

See Also:

"Managing Users" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the operations related to the user entity

A complete list of attributes managed via configuration management feature can be obtained by the operations performed on an entity. For example, for searching users through advanced search, a set of searchable user attributes is displayed for performing the search. After the search operation is completed, search results involving a set of attributes are displayed. These attribute sets are managed by using the configuration management feature.

The Configuration Management UI in the Oracle Identity Administration is used to define user entity data structure and attributes. The availability of configuring attributes in the UI is subject to permissions that are controlled by authorization policies. See "User Management" and "Authenticated User Self Service" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about authorization policies for managing users and self service operations.

This chapter describes user configuration management in the following sections:

13.1 Entity Configuration Operations

Entity configuration operations allow you to define the set of attributes for the user entity. You can add new and custom attribute definitions and modify the existing ones. In addition to the attributes defined by default, you can define your own attributes for the user entity.

Note:

To access the Configuration Management section in the Advanced Administration, the user must have authorization to configure the user attributes. For more details, see "User Management Configuration" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

13.1.1 Listing Entity Attributes

To list the entity attributes in the Configuration Management console:

Login to the Oracle Identity Manager Advanced Administration.

In the Welcome page, under Configuration, click User Configuration. Alternatively, you can click the Configuration tab, and then click the User Configuration tab.

On the left pane of the console, from the Actions menu, select User Attributes. The User Attributes page is displayed with a table containing all user attributes that are defined in the User.xml configuration file.

Attribute Name

The unique name for the attribute. It is also used as the caption when this attribute is displayed on the user profile page.

Order in Category

The order of the attributes within the category. The attributes are displayed on the User Management console based on this order.

Attribute Type

Whether the attribute is a system attribute or a user-defined field (UDF). System attributes cannot be deleted and have restrictions on their modifications.

Backend Data Type

The data type of the attribute in the backend datastore.

Display Type

The display type of the attribute in the User Management console.

You can select a row in the User Attributes table and perform operations, such as creating or modifying attributes, which are described in the subsequent sections.

Note:

Not every administrator can access the Configuration Management section in Oracle Identity Manager Administration. The user must have authorization to configure the user attributes.

In the Category Name column, expand a category name by clicking the icon to the left of the category name. The attributes under the category are listed in the Attribute Name column.

13.1.2 Creating Entity Attributes

To create new attributes for an entity:

In the User Attributes page, from the Actions menu, select Create Attribute. The Create Attribute wizard is displayed.

In the Set Attribute Details page of the wizard, enter values in the fields. Table 13-2 lists the fields in the Set Attribute Details page:

Table 13-2 Fields in the Set Attribute Details Page

Field

LOV Types

Description

Attribute Name

This is the unique name for the attribute. It is also used as the caption when this attribute is displayed on the User profile page.

Backend Attribute Name

This is the name of the field that will be created in the user backend schema to store the value specified for this attribute while creating or modifying users. Oracle Identity Manager automatically prefixes the Backend Attribute Name with "USR_UDF.".

Category Name

This is the category name to which the attribute belongs. The categorization is used to organize the data in the UI.

Backend data type is the data type of the attribute in the backend datastore. This is stored in the User.xml file along with the attribute definition.

Frontend data type indicates the data type of the attribute as interpreted by Oracle Identity Manager. This is stored in the User.xml file along with the attribute definition. This is not displayed in the UI.

See Also: The "Attribute Properties" section for information about properties to be configured for each attribute

LOV Type

This field is hidden by default. If the display type is selected as List Of Values, then the LOV-related fields are displayed. The LOV Type can be System Generated, Admin Configured, or By Query.

System Generated

The user can specify existing LOVs. For example:

Select System Generated as the LOV Type.

The LOV Search Options field is set to the Contains operator by default. In the LOV Code field, enter country, and click Search. The list of available LOV codes matching the search criteria is displayed in the Available LOV Codes list.

Select Lookup.Locations.Country and move to the Selected LOV codes list by clicking the right arrow. Only one LOV code should be moved to this list. Then, click Next, and complete the rest of the steps in the wizard as described in this section.

After saving the attribute, a drop-down list with country codes is displayed in the user details page.

Admin Configured

The user can add this LOV. For example:

Select Admin Configured as the LOV Type.

In the LOV Code field, enter level. For a LOV code, you can add multiple LOV options and corresponding LOV descriptions.

In the LOV Options field, enter L1, and in the LOV Options Description field, enter Executive. Then, click Add. The LOV option and its description are added and displayed on the page.

To add another value, in the LOV Options field, enter L2, and in the LOV Options Description field, enter Senior Executive. Then click Add.

After adding multiple values, click Next, and complete the rest of the steps in the wizard as described in this section.

After saving the attribute, a drop-down list with the values specified in the LOV Options Description field is displayed in the user details page.

By Query

The LOV Code and LOV Options fields are not displayed. Instead, the following fields are displayed:

- LOV Query: In this field, you can specify any SQL query that is valid in the Oracle Identity Manager database schema.

- LOV Column to Display: This is a list showing all the columns from the select query. The selected column values are available on clicking a search icon on the pages for creating or modifying the user entity. For example, you might want to display Manager Name instead of Manager Key.

- LOV Column to Save: This is a list showing all columns from the select query. The selected column value is the one that is saved in the backend store when the user makes a selection in the dropdown available on the pages for creating or modifying the user entity. For example, you can display Manager Name, but want to save Manager Key value.

Note: A list of values is already defined in the LKU and LKV tables in the database. For the Admin Configured (administrator-specified) type, the user must specify an LOV code. This is stored in the LKU table. Associated with each code is the list of values. The user must add new values here. These values are stored in the LKV table and are used as this attribute's LOV values. For the System Generated type, the user can search for LOV codes, and then select a code. Values already exist for this code in the LKV table and are used as this attribute's LOV values.

The following is an example of setting the By Query LOV type:

Select By Query as the LOV Type.

In the LOV Query field, enter SELECT USR_FIRST_NAME as FirstName , USR_LOGIN as UserLogin FROM USR WHERE USR_STATUS = 'Active'.

In the LOV Column to Display list, select FIRSTNAME.

In the LOV Column to Save list, select USERLOGIN and click Next, and complete the rest of the steps in the wizard as described in this section.

After saving the attribute, a search icon against this attribute is displayed in the user details page. The user can search for and select a value for the attribute. FIRSTNAME is displayed in the user details page and USERLOGIN is saved in the backend store.

LOV Code

This is the code to identify the LOV. For system-generated LOV, this value must be of an existing LOV code.

Note: The LOV Code, LOV Options, and LOV Options Description fields are displayed only when Display Type is selected as List Of Values. For other display types, these fields are not displayed.

LOV Options

This is displayed only if the LOV Type is Admin Configured (administrator specified). The user must specify the LOV values here.

LOV Options Description

These are the descriptive LOV options.

Note:

You cannot remove a value from the list of values.

Click Next. The Set Properties page, on which the attribute properties are set, is displayed.

Enter values for the attribute properties. Table 13-3 lists the fields in the Set Properties page:

Table 13-3 Fields in the Set Properties Page

Field

Description

Read Only Value

Determines if the attribute is a read-only attribute

Encryption

Determines if the attribute value is stored in encrypted or clear format

Visible

Determines if the attribute is displayed on the UI

Attribute Size

The maximum size the attribute value can take

Searchable

Determines if the attribute is searchable

Bulk Updatable

Determines if the attribute can be modified while modifying multiple users at the same time.

Default Value

The default value of the attribute to be displayed on the user details.

Click Next. The Confirm page of the Create Attribute wizard is displayed with information that you entered for creating the attribute.

Review the attribute information, and then click Save. The MDS schema, which is the User.xml file, and the DB schema are updated with the new attribute. The new attribute added is displayed in the User Management section based on the properties set. See "User Management" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about authorization policies for the user management.

Note:

To make the newly created attribute viewable or modifiable in the User Profile, you must create appropriate authorization policies. See "Managing Authorization Policies" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about authorization policies.

13.1.2.1 Attribute Properties

For each attribute, you must configure the following properties:

Required: Determines if every user in the repository must have a non-null value for this attribute. For predefined users, the required attributes have values. If you create a user, you must provide a value for the required attribute. An existing attribute cannot be modified to required unless the attribute has values for all the existing users.

Read-Only: Makes an attribute read-only, which means that the attribute cannot be modified irrespective of the authorization policy. Some attributes in the UI must always be read-only. These include the system-controlled attributes and may include custom attributes.

System Controlled: Determines if the value can only be set and edited by Oracle Identity Manager.

Encrypted: Determines if the value is stored in the repository in reversible encrypted or clear formats.

Searchable: Determines if the values can be used in simple as well as advanced searches. An attribute must be configured for use in simple search or advanced search by modifying the search configuration. See "Search Operation Configuration" for information about configuring search operations.

Bulk Updatable: Determines if the attribute can be updated during a bulk modify operation.

Size: Indicates the maximum size that the value for this attribute can take.

Default Value: The default value of the attribute, which is the value that will be populated in the backend store if no value is provided while creating the user entity.

Note:

When you create a new UDF, you must add a corresponding entry in any custom resource bundle. The naming convention for the entry is:

global.udf.BACKEND_UDF_NAME=DESCRIPTION_DISPLAYED_ON_THE_UI

For example: global.udf.USR_UDF_ATT=Attestation

After adding the entry, upload the resource bundle to MDS by using the Upload JAR utility. See "Upload JAR Utility" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about this utility.

13.1.3 Modifying Entity Attributes

The Modify Attribute operation allows you to edit the attributes specific to the user entity. To do so:

In the User Attributes table, select an attribute.

From the Actions menu, select Modify Attribute. The Modify Attribute page is displayed.

On the Modify Attribute page, edit the attribute details and attribute properties. You cannot edit the Attribute Name and Display Type fields.

(Optional) Click Preview User Profile to display a preview of the user profile.

The Preview User Profile feature renders a hypothetical page that contains all available categories and attributes. This feature helps you review the Profile before saving it to the database. Note that a user may not be able to view all of the categories and attributes shown due to user permissions and other constraints.

Click Save to save the changes.

For attributes with default values, only the following modifications can be done:

Modifying the default value of the attribute.

Modifying the visible property of the attribute.

If an attribute has a default value and is nonrequired, then that attribute can be changed to be required. If an attribute is nonrequired and it does not have a default value, then the attribute cannot be changed to required.

13.1.4 Deleting Entity Attributes

The Delete operation allows you to delete an attribute. To delete an attribute:

In the User Attributes table, select a row.

From the Actions menu, select Delete Attribute. A message box is displayed asking for confirmation.

Click OK. A message is displayed confirming that the attribute is deleted.

On performing the delete operation, the actual attribute in the backend is not deleted. The existing data is not affected and audit logs continue to display the data. The deletion happens only in the MDS schema (User.xml).

Note:

Default attributes cannot be deleted. Only user-defined attributes can be deleted.

13.1.5 Performing Category Configuration

A category is a logical entity to display the related information or attributes together. Category configuration allows you to organize the data in the UI. The following categories are available by default:

Basic User Information: This contains the user's personal information, such as first name, last name, and e-mail, and organizational information, for example, manager or department.

Account Settings: This contains the user login and password information.

Account Effective Dates: The dates on which the user account is activated or deactivated.

Provisioning Dates: The dates on which the user account is provisioned and deprovisioned.

Lifecycle: This contains attributes such as whether the user account is locked or manually locked, or the date when the account will be automatically deleted. These are not displayed on the UI.

System: These include attributes that are used internally by the application, such as the number of login attempts by the user, the date when the user was created, and whether the user password cannot be changed. These are not displayed on the UI.

Other User Attributes: This contains the remaining attributes of the user.

Custom Attributes: This is an empty category. Attributes are added here by the Deployment Manager while importing UDFs from Oracle Identity Manager release 9.1.0.

Preferences: This contains the attributes that control the user preferences. For example, Locale and Timezone.

13.1.5.1 Creating Category

Create category operation allows you to add new categories. To create a new category:

In the User Attributes page, from the Actions menu, select Add Category. The Create Category dialog box is displayed.

In the Category Name field, enter the name of the category.

Click Save to create the category. A message is displayed stating that the category is successfully created.

Click OK.

13.1.5.2 Renaming Category

The category names that are displayed in the UI are taken from the resource bundles. To change the display name of a category, you must change the value in the resource bundle.

13.1.5.3 Deleting Category

You can delete only empty categories. To delete a category:

In the User Attributes page, select an empty category that you want to delete.

From the Actions menu, select Delete Category. A message box is displayed asking for confirmation.

Click OK. A message is displayed that confirms the deletion.

Click OK.

13.1.5.4 Ordering Attributes Within a Category

You can specify the order of the attributes within the category. The attributes are displayed on the User Management section based on this order.

To order the attributes within a category:

In the User Attributes page, select a category whose attributes you want to order.

From the Actions menu, select Order Category Attributes. The Order Category Attributes dialog box is displayed with all the attribute names within the selected category.

Edit the numbers corresponding to each attribute to specify the attribute's order in the category.

Click Save.

13.2 Search Operation Configuration

The search operation allows searching of user entities based on a query provided by the user. You can configure the attributes for the search operation, the search results table, and the full table for simple/advanced search.

Searchable attributes define the set of attributes to which the search string is applied when performing the simple search. By default, the display name, user name, first name, and last name attributes are configured as searchable for simple search, and the same attributes are configured by default for advanced search.

Result attributes define the set of attributes that is returned by the search operation. You can define the columns to display in the search results, and the subset to display in the limited search result table for simple search.

You can configure the available attributes for use in simple search and advanced search queries. In addition, you can configure the attributes that you want to be displayed in the search results table. To do so:

On the left pane in the User Configuration section, from the Actions menu, select Search Configuration. The User Search Configuration page is displayed, as shown in Figure 13-1:

In the Simple Search: Search Attributes section, select the attributes that you want to make available for simple search. Click the move and move all icons to add the attributes for simple search. You can also click the remove and remove all icons to remove attributes from the search.

In the Advanced Search: Search Attributes section, select the attributes that you want to make available for advanced search. Click the move and move all icons to add the attributes for advanced search.

In the Search Results Table Configuration section, select the attributes that you want to display in the search results table. Click the move and move all icons to add the attributes for the search results table.

Click Save.

Note:

The Modify and Create operations are not configurable to this level. All the attributes are displayed as editable on the User Management UI, with the following exceptions:

Attributes with property Visible=No

Attributes with property System Controlled=Yes

Users who are members of the System Administrators role are authorized to perform all user configuration operations. The operations are defined by the permissions set for the default authorization policy for this feature. Table 13-5 lists the permissions:

Table 13-5 Authorization Permissions

Permission

Description

Create Attribute

Decides if adding attributes is enabled in the UI for the user. This permission is also used at the API level to decide if the user can add an attribute.

Update Attribute

Decides if updating all attributes is enabled in the UI for the user. This permission is also used at the API level to decide if the user can update attributes.

Delete Attribute

Decides if deleting an attribute is enabled in the UI for the user. This permission is also used at the API level to decide if the user can delete an attribute.

Add Category

Decides if adding categories is enabled in the UI for the user. This permission is also used at the API level to decide if the user can add a category.

Order Category Attribute

Decides if updating attributes is enabled in the UI for the user. This permission is also used at the API level to decide if the user can update a category.

Delete Category

Decides if deleting categories is enabled in the UI for the user. This permission is also used at the API level to decide if the user can delete a category.

Add Derived Attributes

Decides if adding derived attributes is enabled for the user. The option to add derived attributes is available at the API level only.

Set Search Attributes

Decides if searching configuration is enabled in the UI for the user. This permission is also used at the API level to decide if the user can update simple search and advanced search, and search table attributes.

This section describes how to synchronize user-defined fields (UDFs) between Oracle Identity Manager and LDAP. After creating a user-defined field using the Oracle Identity Manager Advanced Administration Configuration Service, you must extend the OVD and OID schema by adding the new attribute before you can synchronize that attribute. For example, assume you created an Oracle Identity Manager attribute named Employee ID and that the corresponding column name in the USR table is USR_EMPLOYEE_ID. You must add the Employee ID attribute to the orclIDXPerson objectclass in both OVD and OID.

See Also:

OVD and OID documentation for information about adding new attributes to the schema.

Synchronization between Oracle Identity Manager UDFs and LDAP can be achieved in the following ways:

13.4.1 Synchronizing the Attribute Manually

Use the following steps to synchronize the attribute:

Note:

You cannot directly map a multi-valued attribute in a directory to a similarly multi-valued attribute in Oracle Identity Manager. Therefore, you can propagate only single-valued attributes from LDAP to Oracle Identity Manager.

Extend the OVD and OID schemas by adding the employeeid attribute to the orclIDXPerson objectclass in both OVD and OID.

To propagate the attribute value from Oracle Identity Manager to LDAP, perform the following steps:

Import the RA_LDAPUSER.xml file back into MDS. After importing, verify that the full path in MDS is /db/RA_LDAPUSER.xml.

13.4.2 Synchronizing UDFs Between Oracle Identity Manager and LDAP By Using the ldapsyncudf Utility

You can automate the synchronization of UDFs between Oracle Identity Manager and LDAP by using the ldapsyncudf.sh utility.

This utility takes care of both provisioning and reconciliation of UDFs, and it is recommended that you synchronize UDFs by using this utility. If you want to provision UDFs without reconciliation, or if you want to reconcile UDFs without provisioning, then you must run the process manually as described in "Synchronizing the Attribute Manually".

Using the ldapsyncudf.sh script is described in the following sections:

13.4.2.1 Configuring the Properties File

You can configure properties in the ldapconfig.props file before running the ldapsyncudf.sh script to achieve UDF synchronization. These properties are used by the client to connect to the service provided by Oracle Identity Manager. These properties can also be specified through the console if the properties file does not exist or does not contain the property values.

You can configure the following properties:

OIMServer type: The application server type, such as Oracle WebLogic Server. If no value is specified, then Oracle WebLogic Server is the default value.

OIMProviderURL: Oracle Identity Manager provider URL. This is in the format t3://HOST_NAME:PORT.

If the value is not specified in the properties file, then you are prompted to enter the value when running the ldapsyncudf.sh script.

OIMAdminUser: Oracle Identity Manager administrator user login.

If the value is not specified in the properties file, then you are prompted to enter the value when you run the ldapsyncudf.sh script.

SkipOVDValidation: Whether or not LDAP attribute validation in OVD schema is skipped.

By default, the value is false. If the value of this property is true, then the LDAP attribute is not validated in the OVD schema and it can be configured after running the utility. The utility makes the changes in MDS and the horizontal tables.

13.4.2.2 Configuring the Input File

The input to the utility can either be provided through an input file or at runtime in interactive mode as prompted through the console. If the input is provided through an input file, then it must be in the following format:

ENTITY_TYPE, OPER_TYPE, UDF_NAME, LDAP_ATTR

Note:

The parameters must be separated by a comma (,). Any line beginning with the hash character (#) is treated as a comment and is not processed by the utility.

The input parameters are:

ENTITY_TYPE: The valid values can be either USER or ROLE. The values are not case-sensitive.

OPER_TYPE: The valid values can be either ADD or DELETE. The values are not case-sensitive.

Tip:

Update is not supported. To perform an update, first perform a delete followed by an add. The new definition is picked from the Oracle Identity Manager entity definition file present in MDS.

UDF_NAME: The valid values can be any Oracle Identity Manager entity attribute, which has been created successfully. If the UDF_NAME does not exist, then an error message is displayed. The value is case-sensitive.

LDAP_ATTR: The valid values can be any LDAP attribute present in the LDAP directory server as well as in the OVD schema. The LDAP_ATTR parameter is optional for the DELETE operation. If this parameter value is specified for the DELETE operation, then this attribute value is ignored. The value is case-sensitive.

Run the ldapsyncudf.sh script with the help, -help, or --help command-line parameter to display usage details and general help.

You can run the utility in any one of the following ways:

Both the command-line parameters are optional. If the command-line parameters are not specified, then you are prompted to enter the parameters at runtime through the console, as shown:

Enter Entity Type (User / Role):

Specify the Oracle Identity Manager entity type, which is USER or ROLE.

Enter Operation Type (Add / Delete):

Specify the operation type, which is ADD or DELETE.

Enter OIM UDF Name to be Synchronized:

Specify the Oracle Identity Manager entity attribute which has been created successfully.

Enter the LDAP attribute name in LDAP schema:

Specify the LDAP attribute present in the LDAP directory server as well as in the OVD schema. This is an optional parameter for the DELETE operation.

This completes one operation. If the operation is successful, then you are prompted as shown:

Want to continue adding / deleting more attributes (y/n)?

Enter y if you want to start the input process for another operation. Otherwise, enter n to end the program.

Run the utility with values for the -Dinputfile and -Dconfig.properties command-line parameters. The input is read from the input file. The input file can contain multiple inputs, one per line. Each input contains four parameters for ADD operation or three parameters for DELETE operation. If you provide the fourth parameter for a DELETE operation, then it is ignored.
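The following pre-flight validator, an added example that is not part of Oracle Identity Manager or the ldapsyncudf.sh utility, applies the input-file rules described above (comment lines, case-insensitive ENTITY_TYPE and OPER_TYPE, case-sensitive UDF_NAME, the optional fourth parameter for DELETE) so that a malformed file can be caught before the utility changes MDS. The KNOWN_UDFS and OVD_SCHEMA sets are constructed stand-ins for the MDS attribute lookup and the OVD schema check; apart from Employee ID and employeeid, which appear in this chapter, the attribute names in the sample are invented.

```python
# Added example: validator for ldapsyncudf.sh input files. Not part of the utility.
from dataclasses import dataclass
from typing import List, Optional, Set

ENTITY_TYPES = {"USER", "ROLE"}   # ENTITY_TYPE values, case-insensitive
OPER_TYPES = {"ADD", "DELETE"}    # OPER_TYPE values, case-insensitive


@dataclass
class SyncEntry:
    entity_type: str            # normalised to upper case
    oper_type: str              # normalised to upper case
    udf_name: str               # case-sensitive, kept exactly as written
    ldap_attr: Optional[str]    # None for DELETE, where the utility ignores it


def parse_line(line: str, lineno: int, known_udfs: Set[str],
               ldap_schema: Optional[Set[str]] = None) -> Optional[SyncEntry]:
    """Parse one input line; return None for blank lines and '#' comments.

    known_udfs stands in for the attribute lookup the utility does against the
    entity definition in MDS. ldap_schema stands in for the OVD schema check and
    is skipped when None, mirroring SkipOVDValidation=true.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = [f.strip() for f in stripped.split(",")]
    if len(fields) < 3 or len(fields) > 4:
        raise ValueError(f"line {lineno}: expected ENTITY_TYPE, OPER_TYPE, UDF_NAME[, LDAP_ATTR]")
    entity, oper, udf = fields[0].upper(), fields[1].upper(), fields[2]
    if entity not in ENTITY_TYPES:
        raise ValueError(f"line {lineno}: ENTITY_TYPE must be USER or ROLE, got {fields[0]!r}")
    if oper not in OPER_TYPES:
        raise ValueError(f"line {lineno}: OPER_TYPE must be ADD or DELETE, got {fields[1]!r}")
    if udf not in known_udfs:
        raise ValueError(f"line {lineno}: UDF_NAME {udf!r} does not exist (names are case-sensitive)")
    if oper == "ADD":
        if len(fields) != 4 or not fields[3]:
            raise ValueError(f"line {lineno}: ADD requires LDAP_ATTR")
        ldap_attr = fields[3]
        if ldap_schema is not None and ldap_attr not in ldap_schema:
            raise ValueError(f"line {lineno}: LDAP_ATTR {ldap_attr!r} is not in the OVD schema")
    else:
        ldap_attr = None  # a fourth value on a DELETE line is ignored
    return SyncEntry(entity, oper, udf, ldap_attr)


def parse_input_file(text: str, known_udfs: Set[str],
                     ldap_schema: Optional[Set[str]] = None) -> List[SyncEntry]:
    """Validate a whole input file and return the entries the utility would act on."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line, lineno, known_udfs, ldap_schema)
        if entry is not None:
            entries.append(entry)
    return entries


# Constructed sample data: placeholders for the real MDS and OVD lookups.
KNOWN_UDFS = {"Employee ID", "Cost Center", "Role Owner"}
OVD_SCHEMA = {"employeeid", "costcenter", "owner"}
SAMPLE_INPUT = """\
# ENTITY_TYPE, OPER_TYPE, UDF_NAME, LDAP_ATTR  (constructed sample)
USER, ADD, Employee ID, employeeid
role, add, Role Owner, owner
user, delete, Cost Center
USER, DELETE, Employee ID, employeeid
"""


def validate_sample() -> List[SyncEntry]:
    """Run the validator over the constructed sample file."""
    return parse_input_file(SAMPLE_INPUT, KNOWN_UDFS, OVD_SCHEMA)


if __name__ == "__main__":
    for entry in validate_sample():
        print(entry)
```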

13.5 Configuration Management Architecture

For all attribute definitions and the Configuration Management pages in the UI, the configuration file for maintaining the user entity attributes is User.xml. This configuration file defines all attributes of the user entity and their properties. The mapping of the attributes to the backend attributes or columns is also specified in the file. The attributes to be displayed on the UI are determined based on the attribute properties. For example, if an attribute is system-controlled, then the attribute is not displayed in the UI.

The entity XML files are stored in MDS. When a new attribute is added, the database schema is updated along with the entity XML in MDS. The configuration service APIs can be used to fetch the attribute information and can be leveraged while building custom UI.